DECE Geodi CVE-2025-6060
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in DECE Software Geodi allows Cross-Site Scripting (XSS).
This issue affects Geodi: before GEODI Setup 9.0.146.
AnalysisAI
Cross-site scripting in DECE Software Geodi before version 9.0.146 allows authenticated low-privileged remote attackers to inject malicious scripts that execute in other users' browsers, crossing a security scope boundary (S:C). The CVSS vector confirms network-accessible exploitation requiring only low-privilege authentication and victim interaction, making it a realistic internal threat vector in multi-user deployments. No public exploit code identified at time of analysis and EPSS of 0.13% (32nd percentile) signals low exploitation probability, though the scope change elevates post-exploitation impact potential beyond the attacker's own session.
Technical ContextAI
Geodi is a document discovery, search, and management platform developed by DECE Software. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is incorporated into web page output without adequate sanitization or encoding. The CVSS vector element S:C (Changed Scope) is technically significant: it indicates the injected script executes in the security context of a different principal - typically another authenticated user's browser session - rather than being confined to the attacker's own session. The AV:N/AC:L components confirm the vulnerability is reachable over the network with no special conditions or race conditions required, while PR:L establishes that the attacker must have at minimum a low-privilege account in the Geodi application. No CPE string was provided, but the advisory from Turkish USOM (TR-25-0182) identifies the affected product as Geodi installations running GEODI Setup versions prior to 9.0.146.
Affected ProductsAI
DECE Software Geodi is affected in all versions installed via GEODI Setup prior to version 9.0.146. No CPE string was included in the provided data, so the version range is sourced exclusively from the Turkish National Cyber Incident Response Center (USOM) advisory TR-25-0182, available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0182 and https://www.usom.gov.tr/bildirim/tr-25-0182. Deployments running GEODI Setup 9.0.146 or later are not listed as affected.
RemediationAI
The primary fix is to upgrade to GEODI Setup version 9.0.146 or later, as confirmed by vendor advisory TR-25-0182 published by Turkish USOM (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0182). This is a vendor-released patch and should be the immediate action for all affected deployments. If immediate patching is not feasible, compensating controls should include restricting Geodi access to trusted, authenticated internal users only - removing guest or low-privilege accounts that are not operationally required reduces the attacker's entry point, since PR:L is a hard prerequisite. Additionally, deploying a web application firewall (WAF) with XSS filtering rules on the Geodi web interface can intercept common injection payloads, though WAF bypasses exist and this is not a substitute for patching. Administrators and high-privilege users should be advised not to follow links or browse Geodi-generated content sent from untrusted internal parties until the patch is applied, as UI:R means social engineering of privileged users is the realistic exploitation path.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today